DETAILED ACTION

This Action is in response to communications filed 2/29/08. 
Claims 1-64 are pending in this application. 

Response to Arguments 
Applicant's arguments filed in the communications with respect to claims 1-64 have been 
fully considered but are moot in view of the new ground(s) of rejection, as necessitated by the 
claim amendments. 

Examiner's Comments 

During patent examination, the pending claims must be "given their broadest
reasonable interpretation consistent with the specification." In re Hyatt, 211 F.3d 1367, 1372,
54 USPQ2d 1664, 1667 (Fed. Cir. 2000). Although the claims are interpreted in light of the 
specification, limitations from the specification are not read into the claims. See In re Van 
Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). 

Applicant always has the opportunity to amend the claims during prosecution, and broad 
interpretation by the examiner reduces the possibility that the claim, once issued, will be 
interpreted more broadly than is justified. In re Prater, 415 F.2d 1393, 1404-05, 162 USPQ 541, 
550-51 (CCPA 1969). 

In the communications filed 2/29/08, applicant has raised and/or argued various subject 
matter and/or features that are not recited in the claims. 
For example:

Applicant submits that the claim amendments make it clear that applicant's invention is
directed to repeatedly checking (e.g. every few seconds) the user's computers for compliance
(remarks, pg. 13)... in this manner, applicant's claimed invention provides around-the-clock
protection of networks so that... as those combined references provide no teaching or suggestions
for continual, router-initiated monitoring of client computers... applicant's invention regulates
Internet access by continually challenging client computers to prove... (remarks, pg. 11-14 [A]).

Applicant further submits "...making decision about whether or not to permit access 
based on a client computer's then-current compliance with any applicable access policy... the 
client hello..." (remarks, pg. 14-15 [B] and claims 6 and 30).

Applicant further submits "...Particular applications in this context may mean that a 
certain version (namely, the current version) of antivirus software must be installed..." (remarks,
pg. 15 [C] and claims 13-16, etc).

Currently Amended Independent claim 1, in part, recites: 

"...transmitting a plurality of challenges over a period of time from said client
premises equipment to each client computer for..."

The feature "transmitting a plurality of challenges over a period of time..." can simply be
interpreted as a single transfer of a plurality of challenges over a period of time. For example:
transmitting a plurality of challenges over 10 seconds.

The claim simply fails to disclose, teach and/or suggest any of the features as submitted
by the applicant. More specifically, there is nothing in the claim that would suggest the
provision of around-the-clock and/or continual challenging of client computers, applications
in view of antivirus software, etc.

It's clearly seen that applicant is improperly transporting and/or reading the limitations 
from the specification into the claims. 

Also, in light of applicant's failure to traverse the examiner's assertion of official notice, 
the well-known in the art statement is taken to be admitted prior art. 

Claim Rejections - 35 USC § 112 

In response filed, applicant failed to address the 35 USC 112, second paragraph rejection 
presented in the previous office action. 

The following is a quotation of the second paragraph of 35 U.S.C. 112:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the 
subject matter which the applicant regards as his invention. 

Claims 7, 41 and 52 are rejected under 35 U.S.C. 112, second paragraph, as being 
indefinite for failing to particularly point out and distinctly claim the subject matter which 
applicant regards as the invention. 

Regarding claims 7, 41 and 52, the phrase "others" renders the claim(s) indefinite 
because it is unclear which one of the plurality of clients the term is referring to, thereby 
rendering the scope of the claim(s) unascertainable. See MPEP § 2173.05(d). 

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

1. Claims 1-5, 7-12, 17-22, 24, 27-29, 31-33, 35-39, 45-55, 57 and 61 are rejected under 35 
U.S.C. 103(a) as being unpatentable over Stockwell et al. (hereinafter Stockwell, US 5,950,195) 
in view of Phillips et al. (hereinafter Philips, US 6,721,555 B1).

As per claim 1, Stockwell discloses a system comprising one or more client computers
connected to the Internet by client premises equipment serving a routing function for client
computers (fig. 1: the computers connected to internal network, col. 4 L21-42: a firewall
gateway), a method for managing Internet access based on a specified access policy (col. 1 L5-10,
col. 3 L16-54, col. 5 L16-22: access policies), the method comprising:

a challenge/response sequence for determining whether a given client computer is in
compliance with said specified access policy (col. 5 L16 to col. 6 L67, col. 9 L1-60);

blocking Internet access for any client computer that does not respond appropriately to
any challenge issued to it (col. 5 L16 to col. 6 L67, col. 9 L1-60: blocking the Internet access by
dropping the connection, col. 11 L5-67).

However, Stockwell does not explicitly disclose the process of transmitting a plurality of
challenges over a period of time from said client premises equipment to each client computer for
determining whether a given client computer remains in compliance with policy during period of
time and transmitting a response from at least one client computer back to said client premises
equipment for responding to each of challenges that has been issued.

Philips explicitly discloses an Internet access device that performs the process of 
transmitting a plurality of challenges over a period of time from said client premises equipment 
to each client computer for determining whether the given client computer remains in 
compliance and transmitting a response from at least one client computer back to said client 
premises equipment for responding to each of said challenges that has been issued (col. 4 L50-67,
col. 5 L6 to col. 6 L28, col. 7 L4-9: IFW with router).

Therefore, it would have been obvious to a person of ordinary skill in the art at the time
the invention was made to modify Stockwell in view of Philips in order to transmit a plurality of
challenges over a period of time to the client computer and receive a response to the challenges.

One of ordinary skill in the art would have been motivated because it would have
provided a mechanism for periodically verifying the users and/or clients (Phillips: col. 5 L19-64).

As per claim 2, Stockwell discloses the process wherein a client computer that does not 
respond at all is blocked from Internet access (col. 5 L16 to col. 6 L67, col. 9 L1-60: blocking
the Internet access by dropping the connection; it's also obvious that if the client doesn't respond
to the username/pswd prompt, the client will not be allowed to access the Internet).

As per claim 3, Stockwell discloses the process wherein a client computer that responds 
with a particular predefined code indicating non-compliance is blocked from Internet access (i.e. 
invalid response, col. 5 L16 to col. 6 L67, col. 9 L1-60: it's obvious that if client responds to the
challenge with incorrect information or code, the client will be blocked or not allowed to access
the Internet).

As per claim 4, Stockwell discloses the process wherein a client computer that responds 
with a particular predefined code indicating compliance is permitted Internet access (col. 5 L16
to col. 6 L67, col. 9 L1-60).

As per claim 5, Stockwell discloses the process wherein before a receipt of a challenge, 
transmitting an initial message from a particular client computer to the client premises equipment 
for requesting the client premises equipment to transmit a challenge to that particular client 
computer (i.e. transmitting an initial connection request message that enables the firewall to send 
the challenge, col. 5 L53 to col. 6 L67, col. 8 L38 to col. 9 L60, col. 14 L5-55). 

As per claim 7, Stockwell discloses the process wherein client premises equipment is 
capable of permitting Internet access by selected client computers and denying access to other 
client computers (col. 10 L12 to col. 11 L46, col. 11 L47 to col. 13 L67: several examples of 
ACLS, col. 8 L38-45). 

As per claim 8, Stockwell discloses the process wherein access policy specifies rules that
govern Internet access by the client computers (fig. 5, col. 1 L40 to col. 2 L67, col. 5 L16-46, col.
6 L46 to col. 7 L67, col. 10 L12 to col. 11 L67).

As per claim 9, Stockwell discloses the process of determining whether permitting 
Internet access for a given client computer would violate any of rules and if permitting such 
Internet access would violate any of said rule, denying Internet access for that client computer 
(fig. 5, col. 1 L40 to col. 2 L67, col. 5 L16-46, col. 6 L46 to col. 7 L67, col. 10 L12 to col. 11
L67: it's obvious that this determination will be made in order to deny or allow the Internet
access).

As per claim 10, Stockwell discloses the process wherein access policy includes rules that 
are enforced against selected ones of users, computers and groups thereof (col. 10 L12 to col. 11
L67).

As per claim 11, Stockwell discloses the process wherein said access policy specifies 
which applications are allowed Internet access (col. 5 L16-22, col. 7 L1-45, col. 8 L20-30: ftp
and http type of accesses, col. 10 L12-67: Matching criteria for rule including: a list of service 
names such as ftp or http, in other words, a list of applications). 

As per claim 12, Stockwell discloses the process wherein said access policy specifies 
applications that are allowed Internet access (col. 5 L16-22, col. 7 L1-45, col. 8 L20-30: ftp and
http type of accesses, col. 10 L12-67: Matching criteria for rule including: a list of service names 
such as ftp or http, in other words, a list of applications). 

As per claim 17, Stockwell discloses the process wherein said access policy specifies 
Internet access activities that are permitted or restricted for applications or version thereof (col. 5
L16-22, col. 7 L1-45, col. 8 L20-30: for http, types of URLs blocked, col. 10 L12-67, col. 11
L35-41, col. 14 L13-24).

As per claim 18, Stockwell discloses the process wherein said access policy specifies 
rules that are transmitted to client computers from a remote location (col. 8 L38 to col. 9 L60, 
col. 11 L5-67).

As per claim 19, Stockwell discloses the process wherein the remote location comprises a
centralized location for maintaining said access policy (col. 5 L35-46, col. 7 L1-67, col. 8 L38 to
col. 9 L60, col. 11 L5-67: a relational database).

As per claim 20, Stockwell discloses the process wherein the process of blocking Internet 
access includes determining, based on identification of a particular client computer or group 
thereof, a specific subset of rules filtered for that particular client computer or group thereof (col. 
5 L16 to col. 6 L67, col. 7 L1-67, col. 8 L38 to col. 9 L1-60, col. 10 L12 to col. 11 L67, col. 13
L11 to col. 14 L55).

As per claim 21, Stockwell discloses the process wherein challenge includes a request for 
a particular client computer to respond as to whether it is in compliance with said access policy 
(col. 5 L16 to col. 6 L67, col. 9 L1-60).

As per claim 22, Stockwell discloses the process of redirecting a client computer that is 
not in compliance with said access policy to a sandbox server (i.e. a server, col. 7 L45 to col. 8 
L20, col. 11 L5 to col. 12 L44) and informing client computer that it is not in compliance with 
said access policy (col. 9 L1 to col. 10 L8: sending a warning message to the client in response to
denied connection). 

As per claim 46, Stockwell discloses the system wherein said client premises equipment 
includes a router (col. 4 L8-42). 

As per claim 47, Stockwell discloses the system wherein said access policy is provided at 
client computer to be regulated (col. 3 L18-54, col. 5 L16-67). 

As per claim 48, Stockwell discloses the system wherein enforcement module is provided 
at client premises equipment (fig. 2, col. 4 L21-42, col. 5 L16-67). 



Application/Control Number: 09/944,057 Page 10 

Art Unit: 2100 

As per claims 24, 27-29, 31-33, 35-39, 45, 49-55, 57, 61, they do not teach or further 
define over the limitations 1-5, 7-12, 17-22, 46-48. Therefore claims 24, 27-29, 31-33, 35-39, 45, 
49-55, 57, 61 are rejected for the same reasons as set forth in claims 1-5, 7-12, 17-22, 46-48. 

2. Claims 6 and 30 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Stockwell et al. (hereinafter Stockwell, US 5,950,195) in view of Philips et al. (hereinafter 
Philips, US 6,721,555 B1), and further in view of Kadyk et al. (hereinafter Kadyk, US 6,996,841
B2). 

As per claim 6, Stockwell in view of Phillips does not disclose the process wherein the 
initial message comprises a "client hello" packet. 

Kadyk explicitly discloses the process of sending the "client hello" packet to the server 
(fig. 3A, col. 10 L20-52).

Therefore, it would have been obvious to a person of ordinary skill in the art at the time
the invention was made to modify Stockwell in view of Phillips and further in view of Kadyk in
order to send a client hello packet.

One of ordinary skill in the art would have been motivated because it would have
created a secured session (col. 10 L20-52).

As per claim 30, it does not teach or further define over the limitations in claim 6. 
Therefore claim 30 is rejected for the same reasons as set forth in claim 6. 

3. Claims 13-16, 34, 42-44, 56 and 58-60 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Stockwell et al. (hereinafter Stockwell, US 5,950,195) in view of Philips et al.
(hereinafter Philips, US 6,721,555 B1), and further in view of "Official Notice".

As per claim 13, Stockwell in view of Phillips disclose the process wherein the 
applications are specified by executable name (col. 13 L10-67, col. 12 L10-67). 

However, Stockwell in view of Phillips does not disclose the process wherein the 
applications are specified by version number. 

But, application name and the version number are two common parameters used in the art 
for identifying applications. 

Therefore, Official Notice is taken to indicate that specifying the applications by 
executable name and version number is well-known in the art. 

As such, it would have been obvious to a person of ordinary skill in the art at the time
the invention was made to modify Stockwell and Phillips in order to use the executable name and
version number of the applications.

One of ordinary skill in the art would have been motivated because these are common
parameters used for identifying the applications.

As per claims 14-16, Stockwell in view of Phillips does not disclose the process wherein 
the applications are specified by digital signatures, wherein the digital signatures are computed 
using cryptographic hash, and wherein the cryptographic hash comprises one of Secure Hash 
algorithm (SHA-1) and MD5 cryptographic hashes. 

But, Secure Hash algorithm (SHA-1) and MD5 cryptographic hashes, digital signatures
are all well-known in the art, as explicitly admitted by the applicant (see specification, pg. 29
lines 14-31, pg. 10 lines 24-41).

Therefore, it would have been obvious to a person of ordinary skill in the art at the time
the invention was made to modify Stockwell and Phillips in order to specify the applications
using hashing techniques.

One of ordinary skill in the art would have been motivated because it would have
provided secure communications.

As per claims 34, 42-44, 56 and 58-60, they do not teach or further define over the 
limitations in claims 13-16. Therefore, claims 34, 42-44, 56 and 58-60 are rejected for the same 
reasons as set forth in claims 13-16. 

4. Claims 23, 25, 26, 40, 41 and 62-64 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Stockwell et al. (hereinafter Stockwell, US 5,950,195) in view of Philips et al. 
(hereinafter Philips, US 6,721,555 B1), and further in view of Shrader et al. (hereinafter Shrader,
US 6,026,440). 

As per claim 23, Stockwell in view of Phillips discloses the process of redirecting the 
client computer that is not in compliance with said access policy to a particular port on the 
sandbox server (i.e. an alternate machine or server, col. 7 L45 to col. 8 L20, col. 11 L5 to col. 12
L44). 

However, Stockwell in view of Phillips does not disclose the process of displaying error 
message pages on the sandbox server in response to communications on particular ports. 

Shrader explicitly discloses the process of displaying error messages on a server if the
request fails (col. 4 L40-67, obviously the request will fail on a particular machine or port, in this
case at the web server port).

Therefore, it would have been obvious to a person of ordinary skill in the art at the time
the invention was made to modify Stockwell in view of Phillips and further in view of Shrader in
order to display the error messages on the sandbox server or alternate server.

One of ordinary skill in the art would have been motivated because it would have
notified the client computer of the denial of the service (Shrader, col. 4 L56-667). It would have
also improved the router's performance by redirecting the unauthorized client computers to
an alternate server.

As per claim 26, Stockwell in view of Phillips does not disclose the process wherein after 
displaying error message, permitting said client to elect to access the Internet. 

Shrader discloses the process of displaying the error in response to inappropriate 
credentials and allowing the client to elect or to access the Internet by prompting the user (col. 4 
L56-67). 

Therefore, it would have been obvious to a person of ordinary skill in the art at the time
the invention was made to modify Stockwell in view of Phillips and further in view of Shrader in
order to enable the client to elect to access the Internet.

One of ordinary skill in the art would have been motivated because it would have
provided the client computer another opportunity to access the Internet.

As per claims 25, 40, 41 and 62-64, they do not teach or further define over the
limitations in claims 23 and 26. Therefore claims 25, 40, 41 and 62-64 are rejected for the same 
reasons as set forth in claims 23 and 26. 



Additional References 

The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. 

a. Freeman, US 6,330,588 B1: Verification of Software agents and agent activities.

b. Treadaway et al, US 6,665,285 B1: Ethernet Switch in a terminal for a wireless
MAN. 

c. RFC 1321: MD5 Cryptographic algorithm. 

d. Davis et al, US 6,088,450: Authentication System based on periodic 
challenge/response protocol. 

e. Abraham et al, US 5,983,270: Method and Apparatus for Managing Internetwork
and Intranetwork activity: A Router and/or Firewall for managing Internet Access. 

f. Nykanen et al, US 6,594,483: discloses using the application names for 
identifying purposes. 

g. Hammond, US 5,974,470: discloses using the version number for applications in 
setting rules. 

Conclusion

The teachings of the prior art should not be restricted and/or limited to the citations by 
columns and line numbers, as specified in the rejection. Although the specified citations are 
representative of the teachings of the art and are applied to specific limitations within the 
individual claim, other passages and figures may apply as well. It is respectfully requested from 
the applicant in preparing responses, to fully consider the references in its entirety as potentially 
teaching all or part of the claimed invention, as well as the context of the passage as taught by 
the prior art or disclosed by the examiner. 

In the case of amendments, Applicant is respectfully requested to indicate the portion(s) 
of the specification which dictate(s) the structure relied on for proper interpretation and support, 
for ascertaining the metes and bounds of the claimed invention. 

Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the date of this 
final action. 

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to KAMAL B. DIVECHA whose telephone number is (571)272-5863.
The examiner can normally be reached on Increased Flex Work Schedule.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, John Follansbee can be reached on 571-272-3964. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/Kamal Divecha/ 

Kamal Divecha 
Art Unit 2151 
/John Follansbee/ 

Supervisory Patent Examiner, Art Unit 2151 



